From 075debe5043f9254d2a6aa741eade09b74f38872 Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Sat, 26 Nov 2022 20:46:08 +0000 Subject: [PATCH 1/4] Turn on markup normalisation by default --- lib/pleroma/web/activity_pub/mrf.ex | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/web/activity_pub/mrf.ex b/lib/pleroma/web/activity_pub/mrf.ex index 0d4986e68..064ffc527 100644 --- a/lib/pleroma/web/activity_pub/mrf.ex +++ b/lib/pleroma/web/activity_pub/mrf.ex @@ -140,7 +140,8 @@ defmodule Pleroma.Web.ActivityPub.MRF do |> get_policies() |> Enum.concat([ Pleroma.Web.ActivityPub.MRF.HashtagPolicy, - Pleroma.Web.ActivityPub.MRF.InlineQuotePolicy + Pleroma.Web.ActivityPub.MRF.InlineQuotePolicy, + Pleroma.Web.ActivityPub.MRF.NormalizeMarkup ]) |> Enum.uniq() end From c379618b34403010d383588902018d08a9fad92f Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Sat, 26 Nov 2022 20:52:49 +0000 Subject: [PATCH 2/4] Add tests, changelog entry --- CHANGELOG.md | 1 + test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs | 2 ++ test/pleroma/web/activity_pub/mrf_test.exs | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6a5402da1..4b7b7e836 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Changed - MastoAPI: Accept BooleanLike input on `/api/v1/accounts/:id/follow` (fixes follows with mastodon.py) - Relays from akkoma are now off by default +- NormalizeMarkup MRF is now on by default ## 2022.11 diff --git a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs index 52a23fdca..133485a86 100644 --- a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs +++ b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs 
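Review bot: `Enum.uniq/1` keeps the first occurrence, so an admin who already lists `Pleroma.Web.ActivityPub.MRF.NormalizeMarkup` in `:policies` gets it at its configured position rather than after `InlineQuotePolicy`, and if policies are applied in list order (not visible in this hunk) the scrubber then runs before the policy that appends the quote link, leaving that appended markup unscrubbed. If the three built-ins are meant to run last regardless of configuration, remove them from the configured list before appending: hold them in a module attribute and add `|> Enum.reject(&(&1 in @always_on_policies))` ahead of the `Enum.concat`, or apply the uniq on the reversed list so the last occurrence wins. The enclosing function starts outside the hunk; a comment on the concat list, `# always-on policies, appended after the configured ones so they run last and cannot be disabled`, would record the intent either way.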
@@ -15,6 +15,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do this is a link with not allowed "rel" attribute: example.com this is an image:
+
mean
""" @expected """ @@ -25,6 +26,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do this is a link with not allowed "rel" attribute: example.com this is an image:
alert('hacked') + mean """ test "it filter html tags" do diff --git a/test/pleroma/web/activity_pub/mrf_test.exs b/test/pleroma/web/activity_pub/mrf_test.exs index f04c69afb..86ad0ab6b 100644 --- a/test/pleroma/web/activity_pub/mrf_test.exs +++ b/test/pleroma/web/activity_pub/mrf_test.exs @@ -77,7 +77,7 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do clear_config([:mrf, :policies], [Pleroma.Web.ActivityPub.MRF.NoOpPolicy]) expected = %{ - mrf_policies: ["NoOpPolicy", "HashtagPolicy", "InlineQuotePolicy"], + mrf_policies: ["NoOpPolicy", "HashtagPolicy", "InlineQuotePolicy", "NormalizeMarkup"], mrf_hashtag: %{ federated_timeline_removal: [], reject: [], @@ -93,7 +93,7 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do clear_config([:mrf, :policies], [MRFModuleMock]) expected = %{ - mrf_policies: ["MRFModuleMock", "HashtagPolicy", "InlineQuotePolicy"], + mrf_policies: ["MRFModuleMock", "HashtagPolicy", "InlineQuotePolicy", "NormalizeMarkup"], mrf_module_mock: "some config data", mrf_hashtag: %{ federated_timeline_removal: [], From 2fd45e0cb68c60769bf4a6c63ca0213536cfe79e Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Sat, 26 Nov 2022 21:05:04 +0000 Subject: [PATCH 3/4] document normalizemarkup and inlinequote MRFs --- docs/docs/configuration/cheatsheet.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/docs/configuration/cheatsheet.md b/docs/docs/configuration/cheatsheet.md index 94c32f2a8..517fd1993 100644 --- a/docs/docs/configuration/cheatsheet.md +++ b/docs/docs/configuration/cheatsheet.md 
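Review bot: Both updated `expected` values (this hunk and the `@@ -93` one) only cover a configured list that does not already contain one of the appended built-ins, so the `Enum.uniq/1` behaviour introduced in the first patch — a configured `NormalizeMarkup` keeps its configured position instead of moving to the end — is left unpinned. A third case with `clear_config([:mrf, :policies], [Pleroma.Web.ActivityPub.MRF.NormalizeMarkup, Pleroma.Web.ActivityPub.MRF.NoOpPolicy])` asserting the resulting `mrf_policies` order would document whichever ordering is intended. Both test bodies start outside their hunks.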
@@ -120,6 +120,8 @@ To add configuration to your config file, you can copy it from the base config.
 * `Pleroma.Web.ActivityPub.MRF.FollowBotPolicy`: Automatically follows newly discovered users from the specified bot account. Local accounts, locked accounts, and users with "#nobot" in their bio are respected and excluded from being followed.
 * `Pleroma.Web.ActivityPub.MRF.AntiFollowbotPolicy`: Drops follow requests from followbots. Users can still allow bots to follow them by first following the bot.
 * `Pleroma.Web.ActivityPub.MRF.KeywordPolicy`: Rejects or removes from the federated timeline or replaces keywords. (See [`:mrf_keyword`](#mrf_keyword)).
+ * `Pleroma.Web.ActivityPub.MRF.NormalizeMarkup`: Pass inbound HTML through a scrubber to make sure it doesn't have anything unusual in it. On by default, cannot be turned off.
+ * `Pleroma.Web.ActivityPub.MRF.InlineQuotePolicy`: Append a link to a post that quotes another post with the link to the quoted post, to ensure that software that does not understand quotes can have full context. On by default, cannot be turned off.
 * `transparency`: Make the content of your Message Rewrite Facility settings public (via nodeinfo).
 * `transparency_exclusions`: Exclude specific instance names from MRF transparency. The use of the exclusions feature will be disclosed in nodeinfo as a boolean value.
 * `transparency_obfuscate_domains`: Show domains with `*` in the middle, to censor them if needed. For example, `ridingho.me` will show as `rid*****.me`
From 5bb95256ee2cd0609b6c821820f165a9e6b6c57f Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Sat, 26 Nov 2022 21:15:10 +0000
Subject: [PATCH 4/4] weirdly no, images should not have classes

---
 priv/scrubbers/default.ex | 1 -
 test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/priv/scrubbers/default.ex b/priv/scrubbers/default.ex
index 950b6c21e..771f27ac1 100644
--- a/priv/scrubbers/default.ex
+++ b/priv/scrubbers/default.ex
@@ -98,7 +98,6 @@ defmodule Pleroma.HTML.Scrubber.Default do
 Meta.allow_tag_with_these_attributes(:img, [
 "width",
 "height",
- "class",
 "title",
 "alt"
 ])
diff --git a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
index 133485a86..739d9b49c 100644
--- a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
+++ b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
@@ -16,6 +16,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
 this is an image:
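Review bot: The `:img` attribute list drops `"class"` with nothing in the file recording that this is deliberate, so a later reader comparing it with the other tags' attribute lists in this scrubber may well add it back; a one-line comment above the list, `# "class" is intentionally not allowed on <img>: remote markup must not be able to select local stylesheet rules`, would keep the decision with the code. That rationale is my reading of the commit subject rather than anything in the hunk, so reword it if the motivation differs. It is also worth checking, outside this hunk, whether other tags in this scrubber still allow `"class"`, since the change treats the attribute as unwanted on one element only.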
mean
+ """ @expected """ @@ -27,6 +28,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do this is an image:
alert('hacked') mean + """ test "it filter html tags" do